Procurement-ready artefacts shipped EU residency — Hetzner Nuremberg Self-hosted & hybrid available

Enterprise.
What procurement actually needs.

A short, honest page for security, legal and procurement teams. Every artefact below is downloadable today; every claim points at a file you can read or a control you can exercise. No fabricated certifications, no nine-fives we can't measure, no logos we don't have. For the architectural argument and per-framework status, see the Trust Center and Compliance.

Talk to a human, not a queue

Enterprise procurement, custom MSA edits, volume-pricing requests, EU invoice billing and self-hosted licensing all route to one address. Median first response is one business day, quoted against your purchase decision date, not a marketing wishlist.

01 — Procurement readiness

The artefacts your security review will ask for.

All of these are linked publicly — no NDA required for the templates. Counter-signed copies (DPA, BAA) are returned within two business days of an enterprise request.

Contracts
DPA · BAA · MSA
  • GDPR Article 28 DPA — public template at /legal/dpa. Counter-signed copy on request.
  • HIPAA BAA template — at /legal/baa.html. Offered for procurement completeness; CloakAPI is structurally outside the Business Associate definition because plaintext PHI is tokenised on the customer device before egress.
  • Master Service Agreement — base terms at /legal/terms. Custom MSA available for enterprise; redlines welcome.
Need a custom DPA edit or jurisdictional rider? legal@cloakapi.io
Security questionnaires
CAIQ · SIG-lite · custom RFP
  • CSA CAIQ-lite — pre-filled across 50 controls (CCM v4) at /legal/caiq. Updated on every architectural change.
  • SIG-lite — completed on request; turnaround typically three business days.
  • Custom RFP — send your spreadsheet to trust@cloakapi.io. We answer the questions we can and mark the rest "Not yet certified — see /compliance" rather than padding.
CAIQ source format is plain Markdown — diffable across versions.
Operational
Sub-processor list · BCP · security.txt
Subscribe to sub-processor change notifications: trust@cloakapi.io
Posture
Privacy · Insurance · Disclosure
  • Privacy posture — what we collect, what we never see, retention windows, GDPR/UK-DPA basis at /legal/privacy.
  • Insurance summary — at /legal/insurance.html. Certificate-of-insurance copy on request.
  • Coordinated vulnerability disclosure — scope, safe-harbour, response SLAs at security.cloakapi.io.
02 — Deployment options

SaaS, self-hosted, or hybrid.

Three shapes of the same product. Pick the one that fits your data-residency constraints and your operations team's appetite. The privacy invariant — plaintext is tokenised on the customer device before any byte leaves it — holds in all three.

Default
SaaS
  • Hosting — Hetzner Nuremberg (DE). Gateway, signing infrastructure, billing metadata and staff audit log all stay in-region.
  • Edge — Cloudflare, EU data localisation pinned.
  • Onboarding — sign up, paste an API key, ship.
  • Best for — EU-domiciled customers who want zero ops overhead and Article 28 SCCs already wired in.
List pricing on /pricing — three flat rates, no plan tiers or per-seat charges.
Customer-managed
Self-hosted
  • Distribution — signed Docker Compose bundle and Helm chart. Same binaries as SaaS.
  • Master KEK — generated on customer hardware (HSM-backed if present); never leaves the customer perimeter. CloakAPI never holds it.
  • Updates — pull from a signed registry on a schedule you control. Air-gapped image bundles available.
  • Best for — regulated customers (health, finance, public sector) whose policy forbids any third-party hosting.
Self-hosted licensing is annual, paid in USD by invoice. Quote from enterprise@cloakapi.io.
Split control plane
Hybrid
  • Gateway — runs in your VPC (AWS, GCP, Azure, on-prem). All plaintext-adjacent code paths execute on customer hardware.
  • Signing keys — generated and stored customer-side; CloakAPI publishes only the public JWKS.
  • Control plane — billing, transparency-log archival, customer-portal SaaS-side, with no plaintext or token material crossing the boundary.
  • Best for — large customers that want SaaS ergonomics for billing/admin but a hard residency boundary for the data path.
Reference architecture diagram on request.
02b — The central-proxy pattern

One proxy for the whole company.

Instead of adding the SDK to every app, run one central cloak-proxy on your own network — a server or container you control — and route all your apps through it (change one base_url). PII is tokenised on that proxy, inside your perimeter, before any byte leaves it; only tokens reach the CloakAPI gateway. One place to configure detectors and privacy tiers, one place to update, every app protected.

Configure once
Central control
  • One config surface — detector policy, privacy tier and key management live on the proxy, not scattered across every service.
  • One update path — upgrade the proxy image on your schedule; every downstream app inherits it.
  • No per-app SDK — legacy services that can't take a library still get client-side tokenisation.
Inside your perimeter
Tokenised before egress
  • Plaintext stays home — tokenisation happens on the proxy on your own network; the gateway sees only tokens.
  • Locked upstream — the official cloak-proxy routes only through the CloakAPI gateway (blind relay + metering), never direct to a provider.
  • Same receipts — every call still returns a signed receipt your auditors verify offline.
Pipeline: your apps → central proxy (tokenise) → CloakAPI gateway → provider. BYOK 5% or pooled keys 15%.
02c — Platform capabilities

The platform your rollout actually needs.

Everything below ships on every account at the same flat rates — there is no "Enterprise plan" that unlocks them. Organisations, identity, compliance automation, event streams and a partner programme are all built in and wired today.

Organisations, teams & roles
Org / team RBAC
  • Organisations & members — invite your team, manage members, transfer ownership.
  • Role-based access — tenant roles (owner, billing, developer, read-only, auditor, member and more) gate every sensitive action.
  • Self-service lifecycle — org data deletion with a grace period; nothing locked behind a support ticket.
Identity & provisioning
SSO & SCIM
  • SAML 2.0 + OIDC — self-service single sign-on config against your IdP (Okta, Entra, Authentik, …).
  • SCIM 2.0 — automated user and group provisioning / de-provisioning.
  • Audit-log streaming — export the staff-action and access audit log to your SIEM.
Compliance & events
GRC connectors & webhooks
  • Evidence push — one-click connectors stream compliance evidence to Vanta, Drata, OneTrust, Secureframe and AuditBoard.
  • Signed webhooks — subscribe to receipt, billing and audit events; CRUD endpoints, secret rotation and replay.
  • Org-level compliance packs — retention, encryption-at-rest and control config attested in the receipt as an org-config hash.

Partner, reseller & white-label programme. Resellers, MSPs and agencies run customer sub-organisations under their own branded domain (custom CNAME + logo), with a commission ledger, settlements and tax forms handled for them. See the partner programme and the commission structure on /pricing.

03 — SLA & support tiers

What we commit, with the receipts to back it.

Uptime numbers below are the same figures the public status page reports — no inflated "five nines" claim that we can't measure. The full SLA contract lives at /legal/sla.html; the live measurement is at status.cloakapi.io.

01
Standard
  • Uptime target — 99.5% gateway availability, measured monthly.
  • Support — email, business hours CET, next-business-day first response.
  • Status — public page; SEV-3+ postmortem within 5 business days.
  • Included — every paid account (no plan tiers; same flat rates for everyone).
03
Enterprise
  • Uptime target — 99.9% with a custom escalation matrix; we will not contractually claim 99.99% / 99.999% until our measurement data supports it.
  • Support — SEV-1 outages worked as soon as detected, including out-of-hours via automated paging (best-effort); target first-response times per the SLA; a direct line to the operator, not a ticket queue.
  • Custom — custom MSA, custom DPA edits, regional residency, VPC peering, SSO/SCIM, audit-log streaming.
  • Best for — annual contracts, self-hosted, or hybrid deployments.

Live uptime is measured per-component on status.cloakapi.io; SLO definitions and the error-budget policy are documented at /legal/sla.html. We will not show "Current" on a target we don't have at least 90 days of measurement evidence for.

04 — Buying motion

How an enterprise order gets placed.

A short, predictable path from first contact to signed contract. Median time-to-signature for the last few enterprise deals has been three to six weeks, gated almost entirely on your security review.

Contact & pricing

Email enterprise@cloakapi.io with a one-line description of your use case and rough volume (requests/month or seats). You'll get a custom quote within two business days. List pricing — three flat rates, no plan tiers — is on /pricing.

Contracting

Custom MSA available; redlines welcome. DPA counter-signed within two business days of an enterprise request. Order forms are short — one schedule per environment, one per region.

Billing

Bank transfer and invoice billing in USD for annual orders above $25,000. Card and Stripe-tokenised payment for smaller commitments. Net-30 standard; net-60 on enterprise terms.

Security review

CAIQ-lite, SIG-lite, custom questionnaires, audit-letter requests and architecture reviews all go through trust@. Median turnaround on a completed CAIQ: three business days.

05 — What's verifiable today

You don't have to take our word for it.

Most enterprise vendors hand you a marketing PDF. CloakAPI hands you a verifier. Every gateway response carries a cryptographic receipt your auditor can check offline, and every tenant has an append-only transparency feed that proves we never silently rotated a signing key or shadow-swapped routing policy.

Signed receipts

OpenReceipt: ECDSA P-256 signed, canonical-hash chained. The independent verifier at signedreceipts.org/verifier requires no CloakAPI account and never sends the receipt back to us.

Per-tenant transparency log

Append-only JSONL feed of cryptographic seeds, signed under the same P-256 keys as receipts. Lets any auditor confirm the signing-key history is monotonic and the routing policy you signed up for is the routing policy you got.

GET https://api.cloakapi.io/v1/transparency/seeds.jsonl